Security Center

Every aspect of our platform is built on a foundation of robust, multi-layered security controls. Below is a detailed overview of our technical implementation.

Identity & Access Control

Access to our systems and your data is governed by a strict, zero-trust framework designed to ensure only authorized actors can perform approved actions.

Multi-Factor Authentication (MFA): Every user account is protected by Email-based One-Time Password (OTP), Time-based One-Time Password (TOTP) via authenticator apps, and WebAuthn passkey support for enhanced security. For all internal staff, we enforce the use of FIDO2-compliant physical hardware security tokens for all critical systems.

Cryptographic Credential Storage: Passwords and recovery keys are never stored directly. We use industry-standard password hashing algorithms with a computationally expensive work factor and a unique salt for every credential, preventing rainbow table and reverse-hash attacks.

Secure Server-Side Session Management: To mitigate session hijacking, user sessions are not stored client-side. We store sessions securely in server-side databases, transmitted exclusively via secure-only cookies.

Principle of Least Privilege (IAM): Internal access is governed by a granular Role-Based Access Control (RBAC) system. Staff are granted only the minimum permissions necessary to perform their duties, enforced through internal authorization mechanisms.

Application & Data Security

Our application is architected to be resilient against modern web threats through secure coding practices, dependency management, and proactive defense mechanisms.

Cross-Site Scripting (XSS) Mitigation: All user-controllable content is treated as untrusted. Before rendering, it is sanitized using robust input cleansing mechanisms to neutralize the threat of malicious script injection and ensure content safety.

Cross-Site Request Forgery (CSRF) Defense: We utilize strong CSRF protection mechanisms to generate and validate unique, per-session anti-CSRF tokens for all state-changing routes, ensuring that all requests are legitimate and intentional.

Atomic Database Transactions: To ensure data integrity, all multi-step database operations are performed as atomic transactions (BEGIN, COMMIT). If any step fails, the entire operation is rolled back (ROLLBACK), preventing partial or corrupt data states.

Secure File Handling: File uploads are processed directly into memory buffers using multer.memoryStorage() to mitigate the risk of path traversal exploits and reducing the server's attack surface. Ticket files are scanned with industry standard virus, malware, and grayware software to prevent spread of malicious code.

Encryption In-Depth

We employ a multi-layered encryption strategy to protect your data throughout its entire lifecycle.

Encryption in Transit: All data transmitted between your device and our platform is protected with strong, industry-standard TLS 1.2+ encryption, enforced across all services.

Encryption at Rest: Our production databases on Google Cloud SQL, and all associated storage volumes and backups, are fully encrypted at rest by default using AES-256 encryption.

Encrypted Credential Management: Application secrets, API keys, and database credentials are never stored in our source code. They are stored and encrypted within Google Secret Manager and accessed securely via IAM roles at runtime.

Endpoint Encryption: We enforce a policy of mandatory full-disk encryption (e.g., FileVault, BitLocker) on all company workstations, safeguarding data in the event of physical device loss.

Infrastructure & Network Security

Our platform is built on the secure, scalable, and resilient infrastructure of Google Cloud Platform (GCP).

Hardened Runtime Environment: Our application runs on Google Cloud Run, a managed serverless platform that abstracts and secures the underlying infrastructure, ensuring it is always patched and configured according to Google's best practices.

Layered Firewall & DDoS Protection: We utilize GCP's global network, Web Application Firewall (WAF), and advanced security services, including built-in DDoS mitigation, to protect against network-level attacks.

Intelligent Threat & Bot Detection: We employ Google reCAPTCHA Enterprise on sensitive forms and API rate-limiting strategies on our API endpoints. This combination provides adaptive risk analysis to differentiate human users from credential stuffing, brute-force, and other automated attacks.

Geographic Redundancy: Our infrastructure is architected for redundancy, with services and data duplicated across multiple physical regions within the United States to ensure high availability and operational continuity.

Email Security: To protect against phishing and domain spoofing, we have implemented DMARC, DKIM, and SPF records for our sending domains.

Third-Party & Vendor Security

We extend our security standards to our partners, ensuring every part of our service chain is secure and compliant.

Zero PCI Scope Architecture: We partner with Stripe, a certified PCI DSS v4.0 Level 1 Service Provider. Your sensitive payment data is sent directly from your browser to Stripe's secure environment and never touches our servers, completely removing us from PCI scope.

Cryptographic Webhook Verification: We verify the cryptographic signature of every incoming webhook from our partners, like Stripe, to ensure its authenticity and integrity before any data is processed.

Strict Vendor Due Diligence: We only engage with third-party sub-processors that are SOC 2 compliant and undergo annual, independent penetration tests. We ensure our critical vendors adhere to global privacy frameworks like the Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP).

Operational Security & Auditing

Security is an active, continuous process involving vigilant monitoring, structured response, and a culture of accountability.

Immutable Audit Trail: Every significant platform event is recorded in a detailed, actor-centric audit trail via structured application-level logging. This log provides full traceability for security investigations and compliance reviews.

Formalized Change Management: All changes to our production environment follow a strict change control process, including peer review, automated testing, and logging, to ensure stability, security, and accountability.

Fail-Secure Design: Our application is designed to fail securely. Unhandled exceptions and promise rejections are caught at the process level, logged, and the application is terminated to prevent unknown states and potential data leakage.

Vulnerability & Patch Management

We are committed to the proactive identification and remediation of security vulnerabilities across our platform.

Continuous Vulnerability Scanning: Vulnerability scans are run on a daily basis to ensure that our applications and infrastructure are up to date.

Prioritized Remediation: Vulnerabilities detected by vulnerability scans, misconfigurations, configuration drift monitoring, penetration tests, or code reviews are patched and remediated based on their materiality.

Operational Continuity & Rapid Recovery: We proactively identify and remediate vulnerabilities, and maintain last-known configurations in a ready-to-redeploy state for rapid recovery. For our mission-critical services, we target a Recovery Time Objective (RTO) of less than 4 hours, aiming to restore operations swiftly after any disruption. Our Recovery Point Objective (RPO) is less than 1 hour, ensuring minimal potential data loss by frequently backing up critical information. The real-time status of our services can be viewed at status.verifythisseal.com .

Legal & Privacy

We believe transparency is a cornerstone of trust. Our legal policies are living documents, accessible to all users.

Version-Controlled Policies: Our Privacy Policy, Terms of Service, and Cookie Policy are maintained with version control. Current and historical versions are available on our site.

Privacy Law Compliance: We prioritize your privacy and never sell or share your personal information for targeted advertising on our site without your permission. Our services comply with US state privacy legislation (CPRA, CPA, CTDPA, DPDPA, FDBR [settings only], ICDPA, MCDPA, NHPA, NJDPA, OCPA, TDPSA, UCPA, VCDPA) and international law (GDRP).

Link Indicators

For your clarity and security awareness, we use distinct icons to indicate links that lead away from our site or initiate specific actions:

This external-link icon indicates a link to an external website, which will open in a new tab.

This envelope icon indicates an email link, which will open your default email client.

Just In Case

Beyond our secure-by-design architecture, VerifyThisSeal.com maintains comprehensive insurance coverage as a critical layer of defense, ensuring that even if a security incident were to occur despite our rigorous controls, we have a robust liability fall backs including.

Commercial General Liability Coverage

Professional Liability (Errors & Omissions) Coverage

Cyber Coverage: Includes vital cyber incident response services, forensic system review, and industry standard affected user support, such as breach notification and credit monitoring.

Responsible Disclosure

We value the contributions of the security research community and recognize the importance of a coordinated approach to vulnerability disclosure. If you have discovered a security vulnerability, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly.

Our program adheres to the following industry standards:

Coordinated Vulnerability Disclosure

Safe Harbor

Open Scope

Core Ineligible Findings

Detailed Platform Standards